Linux is a secure OS. Even the Linux kernel includes many security systems built in to keep desktops and servers safe.
There are two subsystems that are designed specifically for the security of those systems. Security-Enhanced Linux (SELinux) and AppArmor both provide isolation between applications that limit the attack plane, which a hacker can use to gain access to a system. Although both systems have the same goal, they work in different ways.
Differences between SELinux and AppArmor
It’s important to understand that certain Linux distributions default to either AppArmor or SELinux. For example, RHEL, Rocky Linux, AlmaLinux, CentOS Stream and Fedora all use SELinux.
On the other hand, Ubuntu, Debian, SUSE Linux Enterprise Server, openSUSE and most all Ubuntu/Debian derivatives use AppArmor. Admins can install SELinux on Ubuntu/Debian-based distributions, but it is not recommended to install AppArmor on RHEL-based distributions. SELinux is not exclusive to only RHEL-based distributions.
SELinux is more difficult to use than AppArmor. However, along with that complexity comes far more control of how processes — thereby apps — are isolated. Because of the high complexity of SELinux, some admins wind up disabling it if they aren’t familiar with how it works, thereby leaving a system vulnerable.
AppArmor is much easier to learn and use, so it is rarely — if ever — disabled. With that in mind, AppArmor is often considered the safer choice. However, admins that need more control should use SELinux.
SELinux defines access controls for applications, processes and files on a system with security policies. Those policies define what users can or cannot access. Unless a policy is defined for a process, app or directory, SELinux won’t allow access to it. This system is built into the kernel of the system.
AppArmor uses profiles to determine what files and permissions an application requires. Each system also uses certain features differently.
Access control
SELinux uses security policies based on file labels, whereas AppArmor uses policies that are based on paths.
AppArmor provides mandatory access control to supplement traditional discretionary access control.
MLS/MCS
Multilevel security (MLS) is a security scheme that enforces the Bell-LaPadula mandatory access model, which defines users and processes as subjects. Files, devices and other components are called objects. Both subjects and objects are given a security level that defines a subject’s clearance or an object’s classification.
Multicategory security (MCS), on the other hand, uses categories that are attached to objects and granted to subjects. MCS was originally added to SELinux to make it more user-friendly and enable users to categorize without increasing the difficulty for sys admins.
SELinux uses both MLS and MCS, whereas AppArmor uses neither.
Components
SELinux is composed of a few key components, including the following:
- Subject — such as a process.
- Access Vector Cache — a cache of permissions.
- Security Server — the heart of SELinux.
- SELinux Policy Database — contains security policies.
- Objects — such as files, sockets, pipes or network interfaces.
- Kernel module — the module that makes SELinux possible.
AppArmor uses a few key components, such as the following:
- Server analyzer scans ports and determines which applications are listening. This component also detects if an application doesn’t have a profile and if the server needs to confine it.
- Profile generator analyzes an application to create a profile template.
- Optimizer logs and gathers events.
Policy rules and control levels
There are two SELinux policies that are available to a system:
- Targeted is the default policy that implements access control for a targeted process. Each process is run in a confined domain to dramatically limit process access to files.
- MLS.
SELinux also includes three modes:
- Enforcing is the default mode and enforces the loaded security policy across the system.
- Permissive is when the system logs all activity but does not deny activity.
- Disabled is when SELinux is disabled on a system.
AppArmor works with two types of rules in a profile:
- Paths determine which files an app or process can access.
- Capabilities specify the privilege that a confined process can use.
There are two AppArmor modes:
- Enforce means the policy is enforced.
- Complain means policy violations are only logged.
Advantages and disadvantages of AppArmor
The biggest advantage of AppArmor is that it’s simple to use. This is often one of the reasons why an admin might choose a Ubuntu-based distribution over a RHEL-based distribution. While AppArmor might not offer the level of control found with SELinux, it offers more ease of use.
Because of that simplicity, AppArmor doesn’t offer nearly the level of flexibility as SELinux. On top of this, SELinux offers more levels of control than AppArmor.
Another disadvantage to AppArmor is that it adds additional startup time for the OS, whereas SELinux does not.
Feature | SELinux | AppArmor |
Access control | Uses security policies based on file labels. | Uses security policies based on paths. |
MLS/MCS | Uses both MLS and MCS. | Uses neither MLS nor MCS. |
Policy rules and control levels | Offers more policy flexiblility. | Offers less policy flexibility. |
Ease of use | SELinux is harder to learn than AppArmor. | Easier to learn and use than SELinux. |
Distributions | Available to most distributions. | Mainly used on SUSE and Ubuntu/Debian distributions. |
Advantages and disadvantages of SELinux
The biggest advantage to SELinux is that it’s flexible. SELinux is also widely considered to be the more secure of the two since it is MLS-compatible.
At the same time, SELinux is difficult to learn. Not only are the command-line tools challenging, but it’s also often hard to debug error messages. On an SELinux machine, even simple tasks such as serving up websites from nontraditional directories can be a challenge. Because of this, SELinux can frustrate new admins.
SELinux vs. AppArmor: The reality of each
AppArmor is best suited for admins who need to consistently solve problems in minutes. On the other hand, SELinux issues can take hours, and sometimes days, to resolve.
At the same time, SELinux machines are harder to hack, whereas I have experienced an AppArmor-based Ubuntu Server distribution that suffered from a rootkit.
For the highest level of security, go with an SELinux-based distribution. If you want a distribution that includes a security system that thwarts attackers and not admins, go with an AppArmor-based distribution.